Roles in Amazon Identity and Access Management for Amazon ParallelCluster 3.x

This page was machine-translated from the English original; where the translation and the English original differ, the English original prevails.

Amazon ParallelCluster uses Amazon Identity and Access Management (IAM) roles to control the permissions associated with the Amazon resources deployed to an Amazon account. In Amazon ParallelCluster there are two types of IAM role: the role assumed by the user who invokes the CLI commands, and the roles associated with Amazon ParallelCluster resources, such as the EC2 instances launched in the cluster.

By default, Amazon ParallelCluster takes care of creating all required IAM roles, configured with the minimal set of policies that the Amazon ParallelCluster resources need. However, the user who invokes the various Amazon ParallelCluster operations must have the right level of permissions to create or modify all the necessary resources.

Using existing IAM roles with Amazon ParallelCluster

You can use existing IAM roles when creating a cluster or building a custom EC2 image. Typically, you choose existing IAM roles to fully control the permissions granted to Amazon ParallelCluster resources and to the users of the cluster. The following examples show the IAM policies and roles required both to invoke Amazon ParallelCluster features and to customize the permissions associated with the cluster EC2 instances.

In the policies, replace <REGION>, <Amazon ACCOUNT ID>, and similar strings with the appropriate values.

Amazon ParallelCluster user policy examples

The Amazon ParallelCluster user role is the IAM role assumed by the user of the Amazon ParallelCluster CLI. You attach policies to this user role.

Base user policy required to invoke Amazon ParallelCluster features

The following policy shows the permissions required to run Amazon ParallelCluster commands. To create clusters, you must also create a policy that grants the permissions needed to manage IAM resources.

The last action listed in the policy is used to validate any secret specified in the cluster configuration, for example an Amazon Secrets Manager secret used to configure DirectoryService integration. In that case the cluster is created only if a valid secret exists for the PasswordSecretArn in the cluster configuration. If this action is omitted, secret validation is skipped. To improve your security posture, we recommend that you scope this policy statement down by adding only the secrets specified in the cluster configuration.

Note

If an existing Amazon EFS file system is the only file system used in the cluster, the example Amazon EFS policy statement can be scoped down to the specific file system referenced in the SharedStorage section of the cluster configuration file.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "ec2:Describe*" ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Read"
    },
    {
      "Action": [
        "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNetworkInterface", "ec2:CreatePlacementGroup", "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume",
        "ec2:DeleteLaunchTemplate", "ec2:DeleteNetworkInterface", "ec2:DeletePlacementGroup",
        "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DisassociateAddress",
        "ec2:ModifyLaunchTemplate", "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume", "ec2:ModifyVolumeAttribute", "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances", "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Write"
    },
    {
      "Action": [
        "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource", "dynamodb:CreateTable",
        "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
        "dynamodb:Query", "dynamodb:TagResource"
      ],
      "Resource": "arn:aws:dynamodb:*:<Amazon ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDB"
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource",
        "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange",
        "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListQueryLoggingConfigs"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Route53HostedZones"
    },
    {
      "Action": [ "cloudformation:*" ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "cloudwatch:PutDashboard", "cloudwatch:ListDashboards",
        "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": [
        "iam:GetRole", "iam:GetRolePolicy", "iam:GetPolicy",
        "iam:SimulatePrincipalPolicy", "iam:GetInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:policy/*",
        "arn:aws:iam::aws:policy/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRead"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [ "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*" ],
      "Effect": "Allow",
      "Sid": "IamInstanceProfile"
    },
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [ "lambda.amazonaws.com", "ec2.amazonaws.com", "spotfleet.amazonaws.com" ]
        }
      },
      "Action": [ "iam:PassRole" ],
      "Resource": [ "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*" ],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Action": [
        "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration",
        "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission",
        "lambda:RemovePermission", "lambda:UpdateFunctionConfiguration",
        "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:parallelcluster-*",
        "arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:pcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": [ "s3:*" ],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*",
        "arn:aws:s3:::aws-parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "S3ResourcesBucket"
    },
    {
      "Action": [ "s3:Get*", "s3:List*" ],
      "Resource": "arn:aws:s3:::*-aws-parallelcluster*",
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    },
    {
      "Action": [ "elasticfilesystem:*" ],
      "Resource": [ "arn:aws:elasticfilesystem:*:<Amazon ACCOUNT ID>:*" ],
      "Effect": "Allow",
      "Sid": "EFS"
    },
    {
      "Action": [
        "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups",
        "logs:CreateLogGroup", "logs:FilterLogEvents", "logs:GetLogEvents",
        "logs:CreateExportTask", "logs:DescribeLogStreams", "logs:DescribeExportTasks"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogs"
    },
    {
      "Action": "secretsmanager:DescribeSecret",
      "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET NAME>",
      "Effect": "Allow"
    }
  ]
}

Additional user policy when using the Amazon Batch scheduler

If you need to create and manage clusters with the Amazon Batch scheduler, the following additional policy is required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [ "ecs-tasks.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com" ]
        }
      },
      "Action": [ "iam:PassRole" ],
      "Resource": [ "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*" ],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Condition": {
        "StringEquals": { "iam:AWSServiceName": [ "batch.amazonaws.com" ] }
      },
      "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole" ],
      "Resource": [ "arn:aws:iam::<Amazon ACCOUNT ID>:role/aws-service-role/batch.amazonaws.com/*" ],
      "Effect": "Allow"
    },
    {
      "Action": [ "codebuild:*" ],
      "Resource": "arn:aws:codebuild:*:<Amazon ACCOUNT ID>:project/pcluster-*",
      "Effect": "Allow"
    },
    {
      "Action": [ "ecr:*" ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECR"
    },
    {
      "Action": [ "batch:*" ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Batch"
    },
    {
      "Action": [ "events:*" ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AmazonCloudWatchEvents"
    },
    {
      "Action": [ "ecs:DescribeContainerInstances", "ecs:ListContainerInstances" ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECS"
    }
  ]
}

Using Amazon FSx for Lustre

If you need to create and manage clusters with Amazon FSx for Lustre, the following additional policy is required.

Note

If an existing Amazon FSx file system is the only file system used in the cluster, the example Amazon FSx policy statement can be scoped down to the specific file system referenced in the SharedStorage section of the cluster configuration file.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ]
        }
      },
      "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole" ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [ "fsx:*" ],
      "Resource": [ "arn:aws:fsx:*:<Amazon ACCOUNT ID>:*" ],
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": [ "iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy" ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
      "Effect": "Allow"
    },
    {
      "Action": [ "s3:Get*", "s3:List*", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::<S3 NAME>",
      "Effect": "Allow"
    }
  ]
}

User policy for using the Amazon ParallelCluster image build feature

A user who intends to create custom EC2 images with Amazon ParallelCluster needs the following set of permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeImages", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes",
        "ec2:DeregisterImage", "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:GetRole",
        "iam:GetRolePolicy", "iam:GetInstanceProfile", "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/ParallelClusterImage*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAM"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [ "lambda.amazonaws.com", "ec2.amazonaws.com" ]
        }
      },
      "Action": [ "iam:PassRole" ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAMPassRole"
    },
    {
      "Action": [ "logs:CreateLogGroup", "logs:DeleteLogGroup" ],
      "Resource": [
        "arn:aws:logs:*:<Amazon ACCOUNT ID>:log-group:/aws/imagebuilder/ParallelClusterImage-*",
        "arn:aws:logs:*:<Amazon ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": [ "cloudformation:DescribeStacks", "cloudformation:CreateStack", "cloudformation:DeleteStack" ],
      "Resource": [ "arn:aws:cloudformation:*:<Amazon ACCOUNT ID>:stack/*" ],
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "lambda:CreateFunction", "lambda:GetFunction", "lambda:AddPermission",
        "lambda:RemovePermission", "lambda:DeleteFunction", "lambda:TagResource",
        "lambda:ListTags", "lambda:UntagResource"
      ],
      "Resource": [ "arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:ParallelClusterImage-*" ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": [ "imagebuilder:Get*" ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ImageBuilderGet"
    },
    {
      "Action": [
        "imagebuilder:CreateImage", "imagebuilder:TagResource", "imagebuilder:CreateImageRecipe",
        "imagebuilder:CreateComponent", "imagebuilder:CreateDistributionConfiguration",
        "imagebuilder:CreateInfrastructureConfiguration", "imagebuilder:DeleteImage",
        "imagebuilder:DeleteComponent", "imagebuilder:DeleteImageRecipe",
        "imagebuilder:DeleteInfrastructureConfiguration", "imagebuilder:DeleteDistributionConfiguration"
      ],
      "Resource": [
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:image/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:image-recipe/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:component/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*"
      ],
      "Effect": "Allow",
      "Sid": "ImageBuilder"
    },
    {
      "Action": [ "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions" ],
      "Resource": [ "arn:aws:s3:::parallelcluster-*" ],
      "Effect": "Allow",
      "Sid": "S3Bucket"
    },
    {
      "Action": [
        "sns:GetTopicAttributes", "sns:TagResource", "sns:CreateTopic", "sns:Subscribe",
        "sns:Publish", "SNS:DeleteTopic", "SNS:Unsubscribe"
      ],
      "Resource": [ "arn:aws:sns:*:<Amazon ACCOUNT ID>:ParallelClusterImage-*" ],
      "Effect": "Allow",
      "Sid": "SNS"
    },
    {
      "Action": [
        "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
        "s3:DeleteObject", "s3:DeleteObjectVersion"
      ],
      "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ],
      "Effect": "Allow",
      "Sid": "S3Objects"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
      "Condition": {
        "StringLike": { "iam:AWSServiceName": "imagebuilder.amazonaws.com" }
      }
    }
  ]
}

User policy to manage IAM resources

When Amazon ParallelCluster is used to create a cluster or a custom AMI, IAM policies and roles must be provided that grant the required set of permissions to the various Amazon ParallelCluster components. Such IAM resources can either be created automatically by Amazon ParallelCluster, or they must be provided as input when the cluster or custom image resources are created.

Depending on the additional IAM policies granted to the Amazon ParallelCluster user, the following use cases can be enabled:

Privileged IAM access mode

With this mode, Amazon ParallelCluster takes care of automatically creating all the necessary IAM resources. Delegating the creation of IAM resources to Amazon ParallelCluster has the advantage that the IAM policies are scoped down to allow access to cluster resources only.

To enable privileged IAM access mode, add the following policy to the Amazon ParallelCluster user role.

Note

If you configure the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the ARN of each additional policy to the condition of the statement that allows attaching and detaching role policies.

Warning

This mode enables the user to have IAM administrator permissions in the Amazon Web Services account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole" ],
      "Resource": [ "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*" ],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Action": [ "iam:CreateRole" ],
      "Resource": [ "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*" ],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": [ "iam:AttachRolePolicy", "iam:DetachRolePolicy" ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}

Restricted IAM access mode

When no additional IAM policies are granted to the Amazon ParallelCluster user, the IAM roles required by the cluster or by the custom image build must be created manually by an IAM administrator and passed as part of the resource configuration.

When creating a cluster, the following parameters are required:

When building a custom image, the following parameters are required:

The IAM roles passed through the parameters listed above must be created under the /parallelcluster/ path prefix. If this is not possible, the Amazon ParallelCluster user policy needs to be updated to grant iam:PassRole permission on the specific custom roles, as in the following example.

{
  "Condition": {
    "StringEqualsIfExists": {
      "iam:PassedToService": [
        "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com",
        "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com"
      ]
    }
  },
  "Action": [ "iam:PassRole" ],
  "Resource": [ <list all custom IAM roles> ],
  "Effect": "Allow",
  "Sid": "IamPassRole"
}

Warning

Currently, this mode does not allow managing Amazon Batch clusters, because not all IAM roles can be passed in the cluster configuration.
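In restricted IAM access mode the question an administrator has to answer for every role they hand to the cluster is "does the base user policy's IamPassRole statement already cover this ARN, or does it need to be listed explicitly?". The following Python is an added example, not code from Amazon ParallelCluster; it applies the /parallelcluster/ path rule from the paragraph above to a constructed list of role ARNs (hypothetical role names, placeholder account ID) and generates the extra iam:PassRole statement shown above, with the same iam:PassedToService condition, for only the roles that need it.

```python
import fnmatch
import json

# The services listed in the example statement above that ParallelCluster passes roles to.
PASSED_TO_SERVICES = [
    "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com",
    "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com",
]

# Constructed sample: roles an administrator created for restricted IAM access mode.
# Role names are hypothetical; 111122223333 is a placeholder account ID.
SAMPLE_ROLE_ARNS = [
    "arn:aws:iam::111122223333:role/parallelcluster/hpc-head-node-role",   # under the path prefix
    "arn:aws:iam::111122223333:role/hpc-team/compute-node-role",           # outside the prefix
    "arn:aws:iam::111122223333:role/lambda-cleanup-role",                  # outside the prefix
]


def covered_by_default_pass_role(role_arn, account_id):
    """True when the base user policy's IamPassRole statement, whose Resource is
    arn:aws:iam::<account>:role/parallelcluster/*, already allows passing this role.
    IAM resource ARNs use '*' as a wildcard, which fnmatch models well enough here."""
    return fnmatch.fnmatchcase(role_arn, f"arn:aws:iam::{account_id}:role/parallelcluster/*")


def roles_needing_explicit_pass_role(role_arns, account_id):
    """Roles that live outside the /parallelcluster/ path (or in another account)
    and therefore must be listed explicitly in an iam:PassRole statement."""
    return [r for r in role_arns if not covered_by_default_pass_role(r, account_id)]


def build_pass_role_statement(role_arns, account_id, sid="IamPassRole"):
    """Build the additional iam:PassRole statement for the roles that need it.
    Returns None when every role is already under the path prefix, in which case
    the base user policy is sufficient and nothing should be added."""
    extra = roles_needing_explicit_pass_role(role_arns, account_id)
    if not extra:
        return None
    return {
        "Condition": {"StringEqualsIfExists": {"iam:PassedToService": PASSED_TO_SERVICES}},
        "Action": ["iam:PassRole"],
        "Resource": extra,
        "Effect": "Allow",
        "Sid": sid,
    }


if __name__ == "__main__":
    stmt = build_pass_role_statement(SAMPLE_ROLE_ARNS, "111122223333")
    print(json.dumps(stmt, indent=2))
```

Sid values must be unique within one policy document, so if the generated statement is merged into a document that already contains the base IamPassRole statement, pass a different `sid`. Listing only the roles that fail the path check, rather than all of them, keeps the pass-role grant as narrow as the page's own example.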

PermissionsBoundary mode

This mode delegates the creation of IAM roles to Amazon ParallelCluster, but such roles are bound to the configured IAM permissions boundary. For more information about IAM permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The following policy needs to be added to the Amazon ParallelCluster user role.

In the policy, replace <permissions-boundary-arn> with the ARN of the IAM policy to enforce as the permissions boundary.

Warning

If you configure the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the ARN of each additional policy to the condition of the statement that allows attaching and detaching role policies.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole" ],
      "Resource": [ "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*" ],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Condition": {
        "StringEquals": { "iam:PermissionsBoundary": [ <permissions-boundary-arn> ] }
      },
      "Action": [ "iam:CreateRole" ],
      "Resource": [ "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*" ],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Condition": {
        "StringEquals": { "iam:PermissionsBoundary": [ <permissions-boundary-arn> ] }
      },
      "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "StringEquals": { "iam:PermissionsBoundary": [ <permissions-boundary-arn> ] },
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": [ "iam:AttachRolePolicy", "iam:DetachRolePolicy" ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}

When this mode is enabled, the permissions boundary ARN must be specified through the Iam/PermissionsBoundary configuration parameter when creating or updating a cluster, and through the Build/Iam/PermissionBoundary parameter when building a custom image.
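The privileged IAM access mode policy and the PermissionsBoundary mode policy differ only in the iam:PermissionsBoundary condition on the three IAM write statements, and both must have any HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies ARNs added to the iam:PolicyARN condition of the IamPolicy statement. The following Python is an added example, not code from Amazon ParallelCluster: one builder renders either mode's user policy from the list of managed policies on this page (privileged mode when no boundary ARN is given), inserts additional policy ARNs as the note and warning above require, and an audit function reports which IAM write statements would still be ungated by a boundary, which is the practical difference between the two modes. Account ID and policy ARNs in the usage are placeholders.

```python
import json

# Managed policies that the IamPolicy statement on this page allows attaching and detaching.
# "<Amazon ACCOUNT ID>" is substituted at build time, as the page instructs.
DEFAULT_ATTACHABLE_POLICY_ARNS = [
    "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster*",
    "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster/*",
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/AWSBatchFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
    "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
    "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
    "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
]

# The IAM write actions that the PermissionsBoundary mode policy gates with iam:PermissionsBoundary.
BOUNDARY_GATED_ACTIONS = {
    "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy",
    "iam:AttachRolePolicy", "iam:DetachRolePolicy",
}


def build_iam_management_policy(account_id, boundary_arn=None, additional_policy_arns=()):
    """Render the user policy for managing IAM resources.
    boundary_arn=None yields the privileged IAM access mode policy; a boundary ARN yields
    the PermissionsBoundary mode policy. additional_policy_arns are the AdditionalPolicies
    ARNs from the cluster configuration, appended to the attach/detach condition."""
    role_res = f"arn:aws:iam::{account_id}:role/parallelcluster/*"
    attachable = [a.replace("<Amazon ACCOUNT ID>", account_id) for a in DEFAULT_ATTACHABLE_POLICY_ARNS]
    attachable += [a for a in additional_policy_arns if a not in attachable]

    def condition(extra=None):
        cond = {}
        if boundary_arn:
            cond["StringEquals"] = {"iam:PermissionsBoundary": [boundary_arn]}
        if extra:
            cond.update(extra)
        return cond

    statements = [
        {"Action": ["iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole"],
         "Resource": [role_res], "Effect": "Allow", "Sid": "IamRole"},
        {"Action": ["iam:CreateRole"], "Resource": [role_res], "Effect": "Allow", "Sid": "IamCreateRole"},
        {"Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"], "Resource": role_res,
         "Effect": "Allow", "Sid": "IamInlinePolicy"},
        {"Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"], "Resource": role_res,
         "Effect": "Allow", "Sid": "IamPolicy"},
    ]
    # The IamRole statement carries no condition in either mode on this page.
    for stmt in statements[1:]:
        extra = {"ArnLike": {"iam:PolicyARN": attachable}} if stmt["Sid"] == "IamPolicy" else None
        cond = condition(extra)
        if cond:
            stmt["Condition"] = cond
    return {"Version": "2012-10-17", "Statement": statements}


def unguarded_iam_writes(policy):
    """Audit: Sids of Allow statements granting a boundary-gated IAM write action without a
    StringEquals iam:PermissionsBoundary condition. Expected: all three in privileged mode,
    none in PermissionsBoundary mode."""
    found = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow" or not BOUNDARY_GATED_ACTIONS.intersection(actions):
            continue
        guard = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PermissionsBoundary")
        if not guard:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    # Placeholder account ID and ARNs.
    policy = build_iam_management_policy(
        "111122223333",
        boundary_arn="arn:aws:iam::111122223333:policy/pcluster-boundary",
        additional_policy_arns=["arn:aws:iam::111122223333:policy/TeamExtraPolicy"],
    )
    print(json.dumps(policy, indent=2))
    print("ungated IAM writes:", unguarded_iam_writes(policy))
```

Running the audit over a policy taken from an account is a quick way to confirm which of the two modes a user is actually in: a non-empty result means the user can create roles under /parallelcluster/ with no boundary, which is the situation the warning in the privileged-mode section describes.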

Amazon ParallelCluster parameters to control IAM permissions

Amazon ParallelCluster exposes a set of configuration options to control and customize the IAM roles used in the cluster or during the custom AMI creation process.

Cluster configuration

Head node IAM role

HeadNode / Iam / InstanceRole | InstanceProfile

This option allows overriding the default IAM role assigned to the head node of the cluster. For additional details, see the InstanceProfile reference.

The following is the minimal set of policies used as part of this role when the scheduler is Slurm:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [ "s3:GetObject", "s3:GetObjectVersion" ],
          "Resource": [
            "arn:aws:s3:::<REGION>-aws-parallelcluster/*",
            "arn:aws:s3:::dcv-license.<REGION>/*",
            "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem" ],
          "Resource": "arn:aws:dynamodb:<REGION>:<Amazon ACCOUNT ID>:table/parallelcluster-*",
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": { "ec2:ResourceTag/parallelcluster:node-type": "Compute" }
          },
          "Action": "ec2:TerminateInstances",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [ "ec2:RunInstances", "ec2:CreateFleet" ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] }
          },
          "Action": [ "iam:PassRole" ],
          "Resource": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes",
            "ec2:DescribeInstanceAttribute", "ec2:DescribeCapacityReservations"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [ "ec2:CreateTags", "ec2:AttachVolume" ],
          "Resource": [
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:instance/*",
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:volume/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [ "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [ "route53:ChangeResourceRecordSets" ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET_ID>",
          "Effect": "Allow"
        }
      ]
    }

Note that if Scheduling/SlurmQueues/Iam/InstanceRole is used to replace the compute IAM role, the head node policy reported above needs to include that role in the Resource section of the iam:PassRole permission.
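A custom compute role that lives outside the /parallelcluster/ path is silently not covered by the head node's iam:PassRole statement above, and the head node then cannot launch compute instances with it. The following Python is an added example, not code from Amazon ParallelCluster: it checks whether a head node policy can pass a given role to ec2.amazonaws.com, using '*' wildcard matching on the Resource ARNs and the StringEquals iam:PassedToService condition as written on this page, and returns a corrected copy of the policy that lists the custom role. The policy fragment, the hypothetical role name and the account ID are constructed placeholders.

```python
import copy
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # placeholder account ID

# Constructed sample: the iam:PassRole and instance-launch statements from the head node
# policy above, as they appear before any customization.
HEAD_NODE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com"]}},
         "Action": ["iam:PassRole"],
         "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/parallelcluster/*",
                      f"arn:aws:iam::{ACCOUNT_ID}:instance-profile/parallelcluster/*"],
         "Effect": "Allow"},
        {"Action": ["ec2:RunInstances", "ec2:CreateFleet"], "Resource": "*", "Effect": "Allow"},
    ],
}

# Hypothetical compute role supplied through Scheduling/SlurmQueues/Iam/InstanceRole,
# created outside the /parallelcluster/ path.
CUSTOM_COMPUTE_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/hpc-team/compute-node-role"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def pass_role_statements(policy):
    """Allow statements that grant iam:PassRole."""
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "iam:PassRole" in _as_list(s.get("Action", []))]


def can_pass_role(policy, role_arn, service="ec2.amazonaws.com"):
    """True when some Allow iam:PassRole statement matches role_arn and its
    iam:PassedToService condition, if present, permits `service`. Only the StringEquals
    form of the condition used on this page is modelled; Deny statements are not."""
    for stmt in pass_role_statements(policy):
        allowed_services = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if allowed_services is not None and service not in _as_list(allowed_services):
            continue
        if any(fnmatch.fnmatchcase(role_arn, pattern) for pattern in _as_list(stmt["Resource"])):
            return True
    return False


def ensure_compute_role_passable(policy, compute_role_arn):
    """Return a copy of the policy whose first iam:PassRole statement also lists
    compute_role_arn, or an unchanged copy if the role is already covered."""
    fixed = copy.deepcopy(policy)
    if can_pass_role(fixed, compute_role_arn):
        return fixed
    stmt = pass_role_statements(fixed)[0]
    stmt["Resource"] = _as_list(stmt["Resource"]) + [compute_role_arn]
    return fixed


if __name__ == "__main__":
    print("covered before:", can_pass_role(HEAD_NODE_POLICY, CUSTOM_COMPUTE_ROLE))
    fixed = ensure_compute_role_passable(HEAD_NODE_POLICY, CUSTOM_COMPUTE_ROLE)
    print("covered after:", can_pass_role(fixed, CUSTOM_COMPUTE_ROLE))
    print(json.dumps(fixed["Statement"][0], indent=2))
```

The same check applies in reverse as a hygiene test: a head node policy that can pass roles to services other than ec2.amazonaws.com, or that matches role ARNs outside the cluster's own path, is broader than the minimal policy on this page.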

The following is the minimal set of policies used as part of this role when the scheduler is Amazon Batch:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [ "s3:GetObject", "s3:PutObject", "s3:GetObjectVersion" ],
          "Resource": [ "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*" ],
          "Effect": "Allow"
        },
        {
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::dcv-license.<REGION>/*",
            "arn:aws:s3:::<REGION>-aws-parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": { "iam:PassedToService": [ "batch.amazonaws.com" ] }
          },
          "Action": [ "iam:PassRole" ],
          "Resource": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "batch:DescribeJobQueues", "batch:DescribeJobs", "batch:ListJobs",
            "batch:DescribeComputeEnvironments"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "batch:SubmitJob", "batch:TerminateJob", "logs:GetLogEvents",
            "ecs:ListContainerInstances", "ecs:DescribeContainerInstances"
          ],
          "Resource": [
            "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
            "arn:aws:ecs:<REGION>:<Amazon ACCOUNT ID>:container-instance/AWSBatch-PclusterComputeEnviron*",
            "arn:aws:ecs:<REGION>:<Amazon ACCOUNT ID>:cluster/AWSBatch-Pcluster*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job-queue/PclusterJobQueue*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job-definition/PclusterJobDefinition*:*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
            "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [ "ec2:CreateTags", "ec2:AttachVolume" ],
          "Resource": [
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:instance/*",
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:volume/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "cloudformation:DescribeStackResource", "cloudformation:DescribeStacks",
            "cloudformation:SignalResource"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET_ID>",
          "Effect": "Allow"
        }
      ]
    }

Amazon S3 access

HeadNode/Iam/S3Access or Scheduling/SlurmQueues/S3Access

This configuration section allows customizing Amazon S3 access by granting additional Amazon S3 policies to the IAM roles associated with the head node or the compute nodes of the cluster, when such roles are created by Amazon ParallelCluster. For more information, see the reference documentation of each configuration parameter.

This parameter can be used only when the Amazon ParallelCluster user is configured in privileged IAM access mode or in PermissionsBoundary mode.

Additional IAM policies

HeadNode/Iam/AdditionalIamPolicies or SlurmQueues/Iam/AdditionalIamPolicies

Use this option to attach additional managed IAM policies to the IAM roles associated with the head node or the compute nodes of the cluster, when such roles are created by Amazon ParallelCluster.

Warning

To use this option, make sure the Amazon ParallelCluster user is granted iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.

Amazon Lambda functions role

Iam / Roles / LambdaFunctionsRole

This option overrides the role attached to all the Amazon Lambda functions used during cluster creation. Amazon Lambda needs to be configured as the principal allowed to assume the role.

The following is the minimal set of policies used as part of this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ],
      "Resource": "arn:aws:route53:::hostedzone/*",
      "Effect": "Allow"
    },
    {
      "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/lambda/pcluster-*"
    },
    {
      "Action": "ec2:DescribeInstances",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:TerminateInstances",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/parallelcluster:node-type": "Compute" }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [ "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete",
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
      ]
    }
  ]
}

Compute node IAM role

Scheduling / SlurmQueues / Iam / InstanceRole | InstanceProfile

This option allows overriding the IAM role assigned to the compute nodes of the cluster. For more information, see InstanceProfile.

The following is the minimal set of policies used as part of this role:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [ "dynamodb:Query" ],
          "Resource": "arn:aws:dynamodb:<REGION>:<Amazon ACCOUNT ID>:table/parallelcluster-*",
          "Effect": "Allow"
        },
        {
          "Action": "s3:GetObject",
          "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ],
          "Effect": "Allow"
        },
        {
          "Action": "ec2:DescribeInstanceAttribute",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Permissions boundary

Iam / PermissionsBoundary

This parameter forces Amazon ParallelCluster to attach the given IAM policy as a PermissionsBoundary to all the IAM roles created as part of the cluster deployment.

See PermissionsBoundary mode for the list of policies the Amazon ParallelCluster user needs in order to use this functionality.

Custom image configuration

EC2 Image Builder instance role

Build / Iam / InstanceRole | InstanceProfile

This option allows overriding the IAM role assigned to the EC2 instance launched by EC2 Image Builder to create the custom AMI.

The following is the minimal set of policies used as part of this role:

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • The arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder managed IAM policy. For more information, see the EC2InstanceProfileForImageBuilder policy in the Image Builder User Guide.

  • Additional IAM policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [ "ec2:CreateTags", "ec2:ModifyImageAttribute" ],
          "Resource": "arn:aws:ec2:<REGION>::image/*",
          "Effect": "Allow"
        }
      ]
    }

Amazon Lambda cleanup role

Build / Iam / CleanupLambdaRole

This option overrides the role attached to all the Amazon Lambda functions used during the custom image build process. Amazon Lambda needs to be configured as the principal allowed to assume the role.

The following is the minimal set of policies used as part of this role:

  • The arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole managed IAM policy. For more information, see Amazon managed policies for Lambda features in the Amazon Lambda Developer Guide.

  • Additional IAM policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [ "iam:DetachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy" ],
          "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
          "Effect": "Allow"
        },
        {
          "Action": [ "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ],
          "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteInfrastructureConfiguration",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*",
          "Effect": "Allow"
        },
        {
          "Action": [ "imagebuilder:DeleteComponent" ],
          "Resource": [ "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:component/parallelclusterimage-*/*" ],
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteImageRecipe",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:image-recipe/parallelclusterimage-*/*",
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteDistributionConfiguration",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
          "Effect": "Allow"
        },
        {
          "Action": [ "imagebuilder:DeleteImage", "imagebuilder:GetImage", "imagebuilder:CancelImageCreation" ],
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:image/parallelclusterimage-*/*",
          "Effect": "Allow"
        },
        {
          "Action": "cloudformation:DeleteStack",
          "Resource": "arn:aws:cloudformation:<REGION>:<Amazon ACCOUNT ID>:stack/*/*",
          "Effect": "Allow"
        },
        {
          "Action": "ec2:CreateTags",
          "Resource": "arn:aws:ec2:<REGION>::image/*",
          "Effect": "Allow"
        },
        {
          "Action": "tag:TagResources",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [ "lambda:DeleteFunction", "lambda:RemovePermission" ],
          "Resource": "arn:aws:lambda:<REGION>:<Amazon ACCOUNT ID>:function:ParallelClusterImage-*",
          "Effect": "Allow"
        },
        {
          "Action": "logs:DeleteLogGroup",
          "Resource": "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*:*",
          "Effect": "Allow"
        },
        {
          "Action": [ "SNS:GetTopicAttributes", "SNS:DeleteTopic", "SNS:GetSubscriptionAttributes", "SNS:Unsubscribe" ],
          "Resource": "arn:aws:sns:<REGION>:<Amazon ACCOUNT ID>:ParallelClusterImage-*",
          "Effect": "Allow"
        }
      ]
    }

Additional IAM policies

Build / Iam / AdditionalIamPolicies

You can use this option to attach additional managed IAM policies to the role associated with the EC2 instance that EC2 Image Builder uses to generate the custom AMI.

Warning

To use this option, make sure the Amazon ParallelCluster user is granted iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.

Permissions boundary

Build / Iam / PermissionsBoundary

This parameter forces Amazon ParallelCluster to attach the given IAM policy as a PermissionsBoundary to all the IAM roles created as part of the custom AMI build.

See PermissionsBoundary mode for the list of policies required to use this functionality.